[Cloud Computing] Virtual Private Cloud VPC

1 Introduction

VPC is short for Virtual Private Cloud, which in Chinese is usually translated literally as "virtual private cloud". In some cases, however, it is translated as "private network" or "dedicated network", which inevitably causes confusion: does VPC refer to a cloud or to a network? In fact, VPC is both a cloud and a network model, depending on whether it is viewed from the service perspective or from the technical perspective.

1.1 Basic introduction

From a service perspective, a VPC is a cloud: a cloud computing service, and a collection of resources that runs on a public cloud and isolates a portion of the public cloud's resources for one user's private use. It is managed by the public cloud and runs on public resources, but it ensures that each user's resources are isolated from every other user's. Users are not affected by other users, and it feels as if they are using their own private cloud.

In this sense, a VPC is not a network. We can compare VPC with a literally similar concept: VPN (Virtual Private Network). A VPN virtually isolates user networks on public network resources. For example, an IPsec VPN builds tunnels across the Internet that connect a user's private networks, and an MPLS VPN directly partitions isolated VRFs on the operator's PE equipment for different users. From the perspective of service provision, if VPC referred only to the network, it would be the same concept as VPN. Therefore, from the perspective of the services a public cloud provides, VPC should be understood as a collection of isolated resources provided to users.

Users can create one or more VPCs on the public cloud, one VPC for each department. Create VPC connections for departments that need connectivity. At the same time, users can also connect their internal data center to the VPC on the public cloud through VPN to form a hybrid cloud. Regardless of the use case, VPC allows users to design how to store their data on the public cloud in a more intuitive way.

From a technical perspective, VPC is a layer 2 network exclusive to users.

1.2 The role of VPC

Users can easily manage and configure internal networks through VPC, and make safe and fast network changes. At the same time, users can customize access rules for elastic cloud servers within security groups and between groups to strengthen the security protection of elastic cloud servers.

1.3 Applicable groups of VPC

VPC is designed for customers who want to take advantage of the benefits of cloud computing but have concerns about certain aspects of the cloud. To meet these needs, many public cloud providers design a VPC that provides a portion of the provider's public infrastructure, but with dedicated cloud servers, virtual networks, cloud storage, and private IP addresses reserved for the VPC customer.

In general, a VPC is a cloud computing service. It is also sometimes referred to as a "private cloud", but there is a subtle difference: a VPC is a private cloud provided on a third-party provider's infrastructure rather than on the enterprise's own IT infrastructure.

Virtual private cloud builds an isolated and private virtual network environment for cloud resources such as cloud servers, cloud containers, and cloud databases. You can fully control your own private network, and VPC's rich functions help you flexibly manage your cloud network, including creating subnets, setting security groups and network ACLs, managing routing tables, and applying for elastic public IP and bandwidth. In addition, you can interconnect VPC with traditional data centers through cloud dedicated lines, VPN and other services, flexibly integrate resources, and build a hybrid cloud network.

VPC uses network virtualization technology to ensure network security, stability, and high availability through link redundancy, distributed gateway clusters, multi-AZ deployment and other technologies.

2. Basic concepts of VPC

A Virtual Private Cloud (VPC) is an exclusive network space built by users, in which cloud resources can be deployed much as in a traditional network running in a data center. Different private networks are completely logically isolated from each other. Users can customize the network environment, including selecting their own IP address range, creating subnets, and configuring route tables and network gateways. The private network also supports multiple ways to connect to the Internet, to other VPCs, and to on-premises data centers.


2.1 Basic concepts related to VPC

VPC CIDR : Classless Inter-Domain Routing (CIDR) is a method of allocating IP addresses to users and routing IP packets efficiently on the Internet. Cloud vendors generally require a VPC's CIDR to be a private (non-publicly-routable) address range as specified in RFC 1918.

Cloud vendors also support IPv6 addresses. To limit the size of a private network, address blocks such as a /16 are generally supported, for example 10.0.0.0/16 or 192.168.0.0/16. To expand the number of IP addresses in a single VPC, some cloud vendors support multiple CIDRs in one VPC. As shown in the figure below, the VPC expands from 10.0.0.0/16 to 10.0.0.0/16 plus 10.2.0.0/16.

Subnet : An IP address range within a VPC. A subnet is generally assigned a subnet CIDR from within the VPC CIDR. For example, if the VPC CIDR is 10.0.0.0/16, subnets can be assigned 10.0.0.0/24 and 10.0.1.0/24.
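As an added example (not part of the original post), the following Python models the CIDR rules described above: a VPC CIDR must be an RFC 1918 range, a secondary CIDR must not overlap the VPC's existing blocks, and a subnet CIDR must be carved from one of the VPC's blocks without overlapping another subnet. The `Vpc` class and its method names are constructed for illustration and are not any cloud provider's API.

```python
import ipaddress

# RFC 1918 private blocks; a VPC CIDR is generally required to fall inside one of them.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(cidr):
    """True if the whole IPv4 block lies inside a single RFC 1918 range."""
    net = ipaddress.ip_network(cidr, strict=True)
    return net.version == 4 and any(net.subnet_of(r) for r in RFC1918)


class Vpc:
    """Constructed IPv4-only model of a VPC: its CIDR blocks and the subnets carved from them.
    Not a cloud provider's API; the validation mirrors the rules described in the text."""

    def __init__(self, primary_cidr):
        if not is_rfc1918(primary_cidr):
            raise ValueError(f"{primary_cidr}: not an RFC 1918 private range")
        self.cidrs = [ipaddress.ip_network(primary_cidr, strict=True)]
        self.subnets = {}  # subnet name -> IPv4Network

    def validate_cidr(self, cidr):
        """Reason a secondary CIDR would be rejected, or None if it is acceptable."""
        if not is_rfc1918(cidr):
            return "not an RFC 1918 private range"
        new = ipaddress.ip_network(cidr, strict=True)
        if any(new.overlaps(c) for c in self.cidrs):
            return "overlaps an existing VPC CIDR"
        return None

    def add_cidr(self, cidr):
        """Expand the VPC with a secondary block, e.g. 10.0.0.0/16 plus 10.2.0.0/16."""
        reason = self.validate_cidr(cidr)
        if reason:
            raise ValueError(f"{cidr}: {reason}")
        self.cidrs.append(ipaddress.ip_network(cidr, strict=True))

    def validate_subnet(self, cidr):
        """Reason a subnet CIDR would be rejected, or None if it is acceptable."""
        new = ipaddress.ip_network(cidr, strict=True)
        if new.version != 4:
            return "IPv6 subnets are not modelled here"
        if not any(new.subnet_of(c) for c in self.cidrs):
            return "not contained in any VPC CIDR"
        for name, existing in self.subnets.items():
            if new.overlaps(existing):
                return f"overlaps subnet {name}"
        return None

    def add_subnet(self, name, cidr):
        """Carve a subnet out of one of the VPC's CIDR blocks."""
        reason = self.validate_subnet(cidr)
        if reason:
            raise ValueError(f"{cidr}: {reason}")
        self.subnets[name] = ipaddress.ip_network(cidr, strict=True)

    def subnet_for(self, ip):
        """Name of the subnet containing ip, or None if it lies outside every subnet."""
        addr = ipaddress.ip_address(ip)
        for name, net in self.subnets.items():
            if addr in net:
                return name
        return None
```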

Elastic network interfaces : Virtual network interfaces that enable resources in a VPC to communicate with each other and with resources on the Internet. Each instance in a VPC has a default network interface (the primary network interface), which is assigned a private IPv4 address from the VPC's IPv4 address range. Generally, users cannot detach the primary network interface from an instance (for example, a cloud server instance), but they can create additional network interfaces and attach them to any instance in the VPC. When a network interface is moved from one instance to another, network traffic is redirected to the new instance along with it. A network interface in a VPC can include the following attributes:

  • One primary private IPv4 address
  • One or more secondary private IPv4 addresses
  • One elastic IP address per private IPv4 address
  • One public IPv4 address, which can be automatically assigned to the eth0 network interface when an instance is launched
  • One or more IPv6 addresses
  • One or more security groups
  • MAC address

Routing table : A set of rules called " routes " that determine where to send network traffic. Each subnet must be associated with a route table that specifies the available routes that allow outbound traffic to leave the subnet. Each subnet is automatically associated with the VPC's main route table, as shown in the following table.

Destination      Target
10.0.0.0/16      local

Users can also customize route tables and routing policies to control how traffic is forwarded. As shown in the figure below, different route tables give network traffic different forwarding paths; igw-id represents the Internet gateway ID.


Network Gateway : A gateway attached to a VPC that enables communication between resources in the VPC and networks outside it. For example, Internet gateways and NAT devices connect the VPC to the Internet, while VPN connections or Direct Connect connections connect the VPC to the user's on-premises network.

VPC Endpoint : Privately connects your VPC to supported cloud services and to VPC endpoint services (powered by PrivateLink) without requiring an Internet gateway, NAT device, VPN connection, or Direct Connect connection. Instances in the VPC do not need public IP addresses to communicate with resources in the service.

2.2 Other related basic concepts

Region : Regions (large geographic areas) are isolated from each other to achieve maximum fault tolerance and stability.

Availability Zones : Each region has multiple isolated locations called Availability Zones . When launching an instance, users can select an Availability Zone. If instances are spread across multiple Availability Zones and one instance fails, your application can be designed so that an instance in another Availability Zone can handle the request.


Local Zones : Currently AWS supports Local Zones. Local Zones are extensions of AWS Regions that are geographically close to your users. The local zone has its own Internet connection and supports AWS Direct Connect, so resources created in the local zone can provide ultra-low latency communication to local users.


Wavelength Zones : Currently AWS supports Wavelength Zones. Using AWS Wavelength, developers can build ultra-low-latency applications for mobile devices and end users. Wavelength deploys AWS standard computing and storage services to the edge of telecom operators' 5G networks. Developers can extend a VPC into one or more Wavelength Zones and then use AWS resources such as Amazon EC2 instances to run applications that require ultra-low latency and connectivity to AWS services in the region.


3. VPC communication scenarios

This chapter mainly introduces the communication scenarios of VPC.

3.1 VPC internal intercommunication

By default, instances in the same VPC, whether in the same subnet or in different subnets, can communicate with each other. For example, the route table associated with subnets 10.0.0.0/24 and 10.0.1.0/24 of a VPC whose CIDR is 10.0.0.0/16 contains a route whose destination is 10.0.0.0/16 and whose target is local.

Destination                  Target
10.0.0.0/16                  local
2001:db8:1234:1a00::/56      tgw-id

You can configure security groups and network ACLs to prevent machines in the same VPC from communicating with each other.

3.2 Intercommunication between VPCs

3.2.1 Peering connection

A VPC peering connection is a network connection between two VPCs that allows users to route traffic between them using private IPv4 or IPv6 addresses. Instances in the two VPCs can communicate with each other as if they were in the same network. Users can create VPC peering connections between their own VPCs, or between their own VPC and a VPC in another account. The two VPCs can be located in different regions.

3.2.2 Transit Gateway or cloud networking

AWS's Transit Gateway is a network transit center that can be used to interconnect VPCs and local networks . A similar product to Alibaba Cloud is Cloud Enterprise Network , and a similar product to Tencent Cloud is Cloud Network .

Each VPC has a route table, and the Transit Gateway has a route table.

(1) VPC routing table

Each VPC has a route table with 2 entries. The first entry is the default entry for local IPv4 routing in the VPC; this entry allows instances in this VPC to communicate with each other. The second entry routes all other IPv4 subnet traffic to the Transit Gateway.

Destination      Target
10.1.0.0/16      local
0.0.0.0/0        tgw-id

(2) Transit Gateway routing table

The Transit Gateway has a default route table with route propagation enabled.

Destination      Target                            Route type
10.1.0.0/16      Attachment for VPC A              propagated
10.2.0.0/16      Attachment for VPC B              propagated
10.3.0.0/16      Attachment for VPC C              propagated
10.99.99.0/24    Attachment for VPN connection     propagated
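The following Python is an added example, not code from the original post, showing how the route tables in this section resolve a destination: each table is matched by longest prefix, so an in-VPC destination hits the local route while everything else falls to 0.0.0.0/0 and is handed to the Transit Gateway, whose own table then picks the attachment (or drops the packet if no propagated route covers it). The tables are constructed from the ones shown above; the igw-id public-subnet table reuses the Internet gateway ID notation from section 2.1.

```python
import ipaddress

# A route table is a list of (destination CIDR, target) rules, like the tables above.
# A packet leaving a subnet is matched by longest prefix: the most specific destination
# wins, so 10.1.0.0/16 -> local beats 0.0.0.0/0 -> tgw-id for traffic that stays in the VPC.


def resolve(table, dst_ip):
    """Target of the most specific route covering dst_ip, or None if nothing matches."""
    addr = ipaddress.ip_address(dst_ip)
    best_len, best_target = -1, None
    for cidr, target in table:
        net = ipaddress.ip_network(cidr, strict=False)
        # 'addr in net' is False for mismatched IP versions, so v6 never matches 0.0.0.0/0.
        if addr in net and net.prefixlen > best_len:
            best_len, best_target = net.prefixlen, target
    return best_target


# Constructed tables modelled on the VPC A and Transit Gateway tables in this section.
VPC_A_TABLE = [("10.1.0.0/16", "local"), ("0.0.0.0/0", "tgw-id")]
TGW_TABLE = [
    ("10.1.0.0/16", "Attachment for VPC A"),
    ("10.2.0.0/16", "Attachment for VPC B"),
    ("10.3.0.0/16", "Attachment for VPC C"),
    ("10.99.99.0/24", "Attachment for VPN connection"),
]
# A public subnet's table (section 2.1 notation): default route to the Internet gateway.
PUBLIC_SUBNET_TABLE = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-id")]


def forward_from_vpc_a(dst_ip):
    """Hop-by-hop decisions for a packet from VPC A: VPC table, then TGW table if handed over."""
    hops = []
    first = resolve(VPC_A_TABLE, dst_ip)
    if first is None:
        return hops  # no route at all: the VPC drops the packet
    hops.append(first)
    if first == "tgw-id":
        second = resolve(TGW_TABLE, dst_ip)
        # The TGW has no default route here, so unmatched traffic is black-holed.
        hops.append(second if second else "dropped: no TGW route")
    return hops


def exposes_to_internet(table):
    """True if any route hands traffic to an Internet gateway, i.e. the subnet is public."""
    return any(target.startswith("igw-") for _, target in table)
```

A defender reviewing route tables can apply `exposes_to_internet` to every subnet's table to list the subnets that are reachable from the Internet.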

Alibaba Cloud Enterprise Network Interoperability


Tencent Cloud's Cloud Network interoperability


3.3 Access the Internet

3.3.1 Internet gateway

The configuration for this scenario consists of a VPC with a single public subnet, and an Internet gateway to enable Internet communication.

3.3.2 NAT gateway


Instances in the public subnet can send outbound traffic directly to the Internet, while instances in the private subnet reach the Internet through a Network Address Translation (NAT) gateway located in the public subnet. For example, a public subnet runs a public-facing web application, while the database server sits in a private subnet so that back-end services are not exposed. The database server can use the NAT gateway to reach the Internet for software updates, but connections cannot be initiated from the Internet to the database server.

3.4 Access local network

3.4.1 VPN connection

A site-to-site VPN connection consists of two VPN tunnels between a virtual private gateway or transit gateway in the cloud and a customer gateway device located in the data center. A customer gateway device is a physical or software device configured on the user's side of the site-to-site VPN connection.

3.4.2 Dedicated line access

Direct Connect links the user's internal network to a Direct Connect location over standard Ethernet fiber-optic cable. One end of the cable connects to the user's router and the other end to the Direct Connect router. With this connection in place, users can create direct connections to cloud services, bypassing Internet service providers in the network path. Cloud vendors currently support two types of access: either the user connects directly to the cloud vendor's dedicated-line access point, or the user connects to a cloud vendor partner, which in turn connects to the cloud vendor's dedicated-line access point.

3.4.3 SD-WAN access service

The SD-WAN access service helps multiple branches easily interconnect with the cloud and with data centers. It is plug-and-play, offers global coverage and intelligent management and control, and gives enterprises with many branches a simpler, more reliable and smarter one-stop cloud migration experience.

AWS's SD-WAN deploys partners' SD-WAN services in VPC machines and provides interoperability between Transit Gateway and other instances of the cloud network. Alibaba Cloud and Tencent Cloud will sell SD-WAN equipment separately.

Edge devices are hardware appliances; once installed in user IDCs, branches, and stores, they connect to the cloud network automatically.


3.5 Extend local networks to the cloud

Note: This chapter mainly uses AWS cloud services for introduction.

3.5.1 Extend VPC resources to a Local Zone

By assigning the VPC subnet to a Local Zone, various cloud services can be run in a geographical location close to end users. The local zone has local Internet access to reduce latency. Local zones also support Direct Connect, giving users the opportunity to route traffic over a private network connection.


3.5.2 Extend VPC resources into Outposts

AWS Outposts is a fully managed service that delivers the same cloud infrastructure, cloud services, APIs, and tools to virtually any data center, colocation space, or on-premises facility for a truly consistent hybrid experience.

Outposts provides a set of cloud hardware and services. For private network VPC, subnets are allocated to Outposts. There are two interoperability models, one is dedicated line access, and the other is to provide Internet interoperability.

(1) Dedicated line mode


(2) Internet mode


3.5.3 Extend VPC resources to Wavelength area


Wavelength deploys AWS standard computing and storage services to the edge of telecom operators' 5G networks. Developers can extend an Amazon VPC into one or more Wavelength Zones and then use AWS resources such as Amazon Elastic Compute Cloud (EC2) instances to run applications that require ultra-low latency and connectivity to AWS services in the region.

3.6 PrivateLink and VPC Endpoint

VPC endpoints enable users to privately connect a VPC to supported cloud services and VPC endpoint services (powered by PrivateLink) without the need for an Internet gateway, NAT device, VPN connection, or Direct Connect connection. Instances in a VPC do not require public IP addresses to communicate with resources in the service. Communication between the VPC and other services does not leave the cloud network. For example, the DNS service provided by the cloud service provider does not need to access the DNS service of the Internet. Access to the DNS service can be completed in the cloud service provider's internal environment.

3.6.1 VPC Endpoint

VPC endpoints enable private connections between a user's VPC and cloud services, as well as VPC endpoint services powered by PrivateLink.

Interface Endpoints : An elastic network interface with a private IP address from a subnet IP address range that serves as the entry point for communications sent to supported services.

Instances in subnet 1 can communicate with Amazon Kinesis Data Streams through the public IP address space in the AWS Region using their default DNS names.

In the above image, private DNS is enabled for the endpoint. Instances in either subnet can send requests to Amazon Kinesis Data Streams through the interface endpoint using the default DNS hostname or an endpoint-specific DNS hostname.

Gateway Load Balancer Endpoints : A gateway that serves as the target of a route in the route table for traffic sent to supported cloud services, such as AWS's Amazon S3 and DynamoDB, or Tencent Cloud's COS and CDB.

Instances in subnet 2 can access Amazon S3 through the gateway endpoint.

3.6.2 PrivateLink

Service providers create their own applications in a VPC and configure them as PrivateLink-powered services (also called endpoint services). Other users can then create an interface VPC endpoint to connect their VPC to the provider's endpoint service.

PrivateLink service providers run instances of the service in their VPCs and place a Network Load Balancer in front of them. Using intra-region VPC peering (VPCs in the same region) and inter-region VPC peering (VPCs in different regions) together with PrivateLink allows consumers to access the service privately across VPC peering connections.


4. Comparison of cloud vendor VPCs

For VPC, mainstream cloud vendors basically have similar functions and implementations. In terms of VPC connection, the basic functions of cloud vendors are also similar, with subtle product details and partially different product capabilities.

4.1 Differences between private networks

Google Cloud Platform (GCP)'s private network differs from other cloud vendors'. Features of a GCP VPC:

  • VPC networks, including their associated routes and firewall rules, are global resources and are not tied to any specific region or zone.
  • Subnets are regional resources. Each subnet defines a range of IP addresses.


4.2 Differences in dedicated line access

Domestic cloud vendors Alibaba Cloud and Tencent Cloud support both static routing and BGP dynamic routing for dedicated-line access, while AWS supports only BGP dynamic routing. Vendors also differ in whether dedicated-line access supports NAT.

4.3 Transit Gateway or cloud networking

Currently, Transit Gateway connects and interoperates network instances within its own region; Transit Gateway Peering is required to cross regions. Tencent Cloud's Cloud Network and Alibaba Cloud's Cloud Enterprise Network can connect and interoperate network instances in different regions. In terms of routing control, AWS uses multiple route tables and provides finer control granularity.

4.4 SD-WAN access service

AWS's SD-WAN deploys partners' SD-WAN services in VPC machines and provides interoperability between Transit Gateway and other instances of the cloud network. Alibaba Cloud and Tencent Cloud will sell SD-WAN equipment separately.

5. Summary and outlook

As part of the IaaS-layer infrastructure, the private network (VPC) plays a role in the cloud similar to that of highways or high-speed rail in the national economy. It has continually pursued the vision of a high-speed cloud and global interconnection, and the development of VPC on the cloud truly reflects the continuous expansion and improvement of cloud infrastructure and services. VPC will surely continue to expand into new application scenarios and services, facilitating efficient and intelligent interconnection of services on and off the cloud.


Origin blog.csdn.net/be_racle/article/details/132892533